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METHOD FOR TRANSCRIBING AT LEAST ONE DATA 
RECORD FROM AN EXTERNAL DATA SOURCE 
TO A PROCESSOR UNIT AND PROCESSOR UNIT 

Field Of The Invention 

The present invention relates to a method for transferring at least one data record from an 
external data source to a processor unit, as well as the processor unit designed accordingly. 

5 Background Information 

According to the method described in German Published Patent Application No. 100 43 499, 
at least one data record, which may be, for example, program code or information stored in a 
memory of a processor unit for further use and then used in the course of a program, is 
transmitted to a processor unit such as a control unit of a motor vehicle. The at least one data 

10 record is transmitted together with additional information, for example as a cohesive data 
packet, from the data source to the processor unit. The processor unit loads the transmitted 
data into a buffer memory belonging to it. The processor unit then establishes contact with an 
external checking unit, in particular by remote data transmission, identifies itself with the 
external checking unit and transmits to the latter at least a portion of the additional 

15 information. On the basis of the transmitted portion of the additional information and the 

identity of the processor unit, the external checking unit verifies whether or not the use of the 
at least one data record in the processor unit is allowed. Depending on the result of this 
check, the processor unit transmits either an enable signal or a blocking signal. In the case 
when the blocking signal is transmitted, the at least one data record is deleted from the buffer 

20 memory. Otherwise the at least one data record thus transmitted is used in the processor unit. 

It is desirable if the data records stored in processor units such as the control units in motor 
vehicles are modifiable externally. This may be accomplished, for example, for the purpose 
of updating such control units without having to replace the control unit. Data records may be 
25 transmitted to the control unit via remote data transmission or via a suitable interface 

connected to the processor unit such as a diagnostic interface of a motor vehicle. The data 
records are provided on a data source, which may be data memories or data processing 
devices. 
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It is first important to ensure that only authorized data records are transmitted to and used by 
the processor unit. Any unallowed change in the data records or input of data records that 
have not been enabled should be prevented because using non-enabled data records may 
cause problems in operation of the processor unit or other processor units connected to that 
5 processor unit. Furthermore, the upload procedure should be as simple as possible. 

Summary Of The Invention 

In the method according to the present invention for transcribing at least one data record from 
an external data source to a processor unit having the features of Claim 1 , the at least one data 

10 record is transferred together with additional information from the external data source to a 
buffer memory of the processor unit. The reliability of using the at least one data record is 
checked on the basis of the additional information. A blocking signal is generated if the check 
reveals that use of the at least one data record is not allowed. The at least one data record is 
then deleted from the buffer memory. An enable signal is generated when the use of the at 

15 least one data record is allowed. According to the present invention, the additional 

information includes an identifier assigned individually to the processor unit, the validity 
check being performed in the processor unit. 

Additional information containing an identifier is thus attached to the data record. A check is 
20 performed in the processor unit to determine whether the identifier is valid, i.e., whether it 

conforms to certain check criteria. If this is the case, the enable signal is generated; otherwise 
the blocking signal is generated. The identifier is assigned individually to the processor unit, 
so an identifier valid for a given processor unit will be invalid for all other processor units, 
including those of the same design series. Data records may thus be transcribed individually 
25 for each individual processor unit, and data records may not be copied from one processor 
unit to another processor unit of the same design. The identifier is preferably a data word 
generated by a code word generator which may be a random generator in particular. The data 
word generated by the code word generator may be, for example, a sequence of characters or 
numbers such as a hexadecimal numerical sequence. 

30 

This procedure has the advantage that the check on the validity is performed in the processor 

unit itself and no manipulable data communication with other external devices is necessary 

for the check. Furthermore, a check may be performed continuously or periodically with the 

identifier in the processor unit to determine whether or not the version currently being used is 

35 valid. At the point in time of transcription of the at least one data record together with the 
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additional information to the processor unit, no other communication devices need be 
involved. Even when a remote data transmission from the vehicle is impossible, e.g., 
temporarily, an update may be performed and the at least one data record may be transferred, 
assuming it is valid. 

5 

According to an advantageous embodiment of the present invention, a signature is part of the 
additional information; the signature may also include the identifier used to prevent a 
replacement of the at least one valid data record, which is to be transferred together with 
additional information, with another data record, in particular one that is not valid. The check 
10 on the integrity and acceptability of the signature is then in particular also a part of the check 
on the validity of the transmitted data. 

According to a preferred embodiment of the present invention, an identifier is valid only once 
for checking the at least one transmitted data record stored in a buffer memory. This prevents 
1 5 the identifier from being intercepted in a transfer and then used for transcribing other 
unauthorized data records. 

According to another embodiment of the present invention, when the enable signal is 
generated, the at least one data record is transmitted from the buffer memory into a functional 

20 memory from which it is outputtable for processing purposes. This measure advantageously 
ensures that the data record is transmitted to the functional memory only at a point in time 
when its validity has already been checked with a positive outcome. Thus for transcribing 
another data record which is recognized as valid, the last version of the data record 
recognized as valid is always stored in the functional memory and read for use there. The 

25 data record stored in the functional memory is not affected by attempts to download invalid 
data records. This always ensures the availability of the processor unit. In addition, it is also 
possible for the identifier to be stored in the functional memory together with the at least one 
data record and for the particular identifier to be checked for validity when calling up a data 
record from the functional memory. This is possible even when the identifier is suitable only 

30 for a single check of a transcribed data record because the data record is now stored in the 
functional memory and is no longer stored in the buffer memory and a new identifier is 
necessary only for checking data stored in the buffer memory. This makes it possible to 
prevent manipulation of the data record stored in the functional memory, e.g., by exchanging 
the memory module containing the functional memory. This check may also be performed 
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only at periodic intervals, e.g., after starting the vehicle or after a predetermined number of 
calls. 

In another advantageous embodiment of a method according to the present invention, a list of 
5 code words is stored in a code word memory in the processor unit. The identifier transmitted 
together with the at least one data record is compared with the code word. It is found to be 
reliable if the identifier of the additional information transmitted with the at least one data 
record matches the code word and/or if the combination of the identifier and the code word 
conforms to a criterion to be checked. For example, the identifier and code word may be two 

10 key parts of a code, with the combination of code word and identifier together permitting 
encryption and/or decryption of a coded data sequence, so that it is possible to check on 
whether the code word and the identifier fit together. In a more extensive embodiment, a 
counter is provided in the processor unit and its counter content is stored. The counter content 
points to a code word of the code word memory. The counter is incremented before each 

15 check of an identifier of the at least one data record stored in a buffer memory, so that a code 
word may be used only once for checking newly downloaded data records. 

It is important that the list of code words is not outputtable or overwritable. For this purpose 
no protocol instructions which would allow reading from or writing to the memory area using 

20 the numbers via an external interface are allowed in the processor unit. Additionally or 
alternatively, the processor unit may be protected from access via hardware pins by 
embedding. The counter content must be permanently stored and must be preserved even 
without a power supply. The counter content may be stored in an EEPROM in particular. 
According to a preferred embodiment of the list of code words, they should take up the 

25 smallest possible memory volume in the processor unit; on the other hand, the length of the 
code word should be selected so that it is impossible to discover it by guessing or trial and 
error. The code word length of 32 bits, for example, i.e., four bytes or two hexadecimal 
numbers, would be one possible compromise between security and memory volume. The 
memory required for a code word list of 256 code words would then be one kbyte. Since a 

30 memory volume in the range of one Mbyte or more is also available in control units in motor 
vehicles, a memory volume of one kbyte is a relatively small volume. In an advantageous 
embodiment, the number of code words in the list should also be selected to be as small as 
possible but should be adapted to the demand for transcription of data records to the 
processor unit during its lifetime. Although a cyclic run through the list of code words may 
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also be possible, the code words could also be discovered by a third party due to their 
repeated use, which results in a certain laxity in terms of security. 

As protection against discovery of the required identifier to be transcribed, it is possible to 
5 provide for a new identifier to be necessary for each attempted transcription of at least one 
data record. On the other hand, it should be noted that the data transmissions may also have 
interference and therefore multiple transmission attempts may be required under some 
circumstances until the at least one data record and the additional information are transmitted 
to the buffer memory. To avoid having to input a new identifier into the additional 

10 information for each transmission attempt while at the same time using a large number of 
code words, it is possible to provide for the check on the identifier not to take place until the 
thoroughness and accuracy of the transmission of the data to the buffer memory have been 
ascertained. To do so, in particular the data stored in the buffer memory or a signature 
derived therefrom may be compared with the data of the data source. Confirmation by the 

15 operator may also be requested, in which case the operator must acknowledge the 

transmission as being in order before the check of the identifier is performed. Since a 
different code word is used and thus also spent with each check of the identifier in the 
processor unit, discovery of the required identifier by systematic trial and error is impossible. 

20 Additionally or alternatively, it is also possible that after a defined number of false attempts, 
an equal number of successive identifiers must also be transmitted as additional information 
and checked for validity. It is also conceivable to provide a delay element which increases the 
time required for an individual attempt so that not all possibilities may be checked out within 
a foreseeable period of time. 

25 

According to a preferred embodiment of a method according to the present invention, the 
processor unit is identifiable based on an identification sequence. The identification sequence 
is preferably also part of the additional information and may be used in checking the validity 
of the at least one data record. By linking the identification sequence to the additional 
30 information, it is possible to check on whether the at least one data record is also intended for 
input into the processor unit. The identification sequence is in particular a character sequence 
which may be read in the processor unit but may not be overwritten; it is assigned 
individually to the processor unit and is issued only once and thus differentiates the processor 
unit from all other processor units of the same design. 
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According to an advantageous embodiment, to perform the method according to the present 
invention, valid identifiers, preferably in the form of a list, are stored in an identifier server 
assigned to the corresponding processor unit, e.g., via the identification sequence, for at least 
one control unit, but preferably for a plurality of control units. The counter content of the 
5 counter of the processor unit is preferably stored here together with the identifiers, so that the 
code word server always knows the next identifier to be used, which may be transmitted to an 
authorized party on request, for example. It is possible for the authorized party to request the 
required identifier from the identifier server and then establish the link between the identifier 
and the other additional information as well as the at least one data record. It is also possible 

10 for the authorized party to transmit the data required by it to the identifier server and then to 
process the at least one data record and the additional information in the identifier server in 
particular using additional security measures such as encryption and addition of signatures. A 
total data record to be transmitted to the buffer memory is generated and then is transmitted 
to the authorized party for input into the processor unit or is transmitted directly to the 

1 5 processor unit. In the latter option, a check may be performed in the identifier server to 

determine whether it is allowed to input the at least one data record into the processor unit 
before the additional information has been appended to the identifier. 

If the identifier is transmitted to the data source, it is only possible to check on whether it is 
20 authorized to generate and/or transcribe allowed data records. Due to the required query at 
the identifier server for determining the required identifier, it is possible to document a 
history of accesses in the identifier server. It is then possible to trace the accesses back. 
Therefore, e.g., in cases of misuse of identifiers that have been issued, it is possible to 
ascertain the source of the misuse. 

25 

A processor unit according to the present invention has a buffer memory and an overwritable 

functional memory, both of which are used for storing at least one data record. The functional 

memory is accessed during the operation of the processor unit. At least one data record 

together with additional information is transferable to the buffer memory via an interface. A 

30 check unit for checking the validity of the at least one data record on the basis of an identifier 

contained in the additional information according to one of the preceding methods is 

contained in the processor unit. According to a preferred embodiment of the present 

invention, the processor unit has a read-only code word memory. Code words are stored in 

the code word memory. A counter having an incrementable counter content is assigned to the 

35 code word memory. The counter preferably points to a code word in a list of code words of 
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the code word memory, in particular of code words that may be used only once. The 
processor unit in particular is individualized via an identification sequence. In the case of a 
processor unit according to the present invention, this is preferably a control unit for a motor 
vehicle. 

5 

Brief Description Of The Drawings 

Figure 1 shows schematically a block diagram of the identifier server, the data source and the 
processor unit. 

10 Figure 2 shows a flow chart of a method according to the present invention. 
Detailed Description 

Figure 1 shows schematically the functional elements that cooperate in implementing a 
method according to the present invention. At least one data record 12 is to be transmitted 
15 from data source 10 to processor unit 20. Data source 10 is, for example, a data processing 
device which is prepared in a factory or service shop, while processor unit 20 may be a 
control unit in a motor vehicle. In addition, an identifier server 1 8 which is also required is 
provided and managed centrally by the automobile manufacturer and thus ensures good and 
reliable access control to the code words. 

20 

Processor unit 20 has an interface 21 for transcribing data. Buffer memory 22 is used for 
storing the data incoming at interface 21. The validity of the data stored in the interface is 
checked in checking unit 23, which accesses an element of the list of code words 25a, 25b, 
25c, 25d of code word memory 25 via counter 24. If the data is recognized as valid, it may be 

25 transferred in a controlled manner via the checking unit from buffer memory 22 into 
functional memory 26. A central computer 27 of the processor unit, a CPU, accesses 
functional memory 26 to process tasks. Programs that are capable of running on CPU 27 may 
be stored in functional memory 26 with suitable encryption along with information that is 
necessary during the execution of a program such as parameter values, engine characteristics 

30 maps and the like. Programs as well as information used in running programs may therefore 
be input to processor unit 20 by a method according to the present invention. The processor 
unit is identifiably individualized by identification sequence 14, which is readably stored. 

Data source 10 is a total data record 1 1 which is to be transcribed to processor unit 20. Data 

35 source 10 may be data processor units, shop instruments or data media, in particular read- 
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only data media. Total data record 1 1 is divided into at least one data record 12, which is to 
be introduced into functional memory 26 and contains the program code and/or the 
information required during the running of a program plus additional information 13. The 
additional information includes at least one identifier 15b, but may also contain other 
5 information such as an identification sequence 14. 

In identifier server 18, one identifier data record 19 is stored for a plurality of processor units 
20. Identifier data record 19 is identifiable via identification sequence 14 and is assignable to 
processor unit 20 having the same identification sequence 14. An identifier data record 19 

10 contains a counter 24 whose counter content is incremented each time an element is called up 
from the list of identifiers 15a, 15b, 15c, 15d of identifier memory 10. In addition, there is a 
protocol data file 16 in which the output of each individual identifier 15a, 15b, 15c, 15d to a 
data source 10 together with the receiver, the transmission path and the point in time of the 
transmission, for example, are recorded. The transmission of information between identifier 

15 server 18 and data source 10 may be accomplished by remote data transmission, e.g., 

wireless, Internet or the like. In the first examples of processor unit 20, the list of identifiers 
15a, 15d of code word memory 15 and the list of identifiers 25a, 25d of code word 
memory 25 are generated using data and stored in corresponding memories 15, 20. 

20 Figure 2 shows the flow chart of a method for transmitting at least one data record 12 to 
processor unit 20, as implementable, for example, in a configuration of computer 20, data 
source 10 and identifier server 18 according to Figure 1. Steps 201 through 205 illustrate the 
steps performed before the actual transmission of the at least one data record 12, while steps 
206 through 212 are the steps performed in the actual data transmission. 

25 

According to step 201 of the method, the at least one data record 12 which is to be 
transmitted to processor unit 20 is made available. According to step 202, processor unit 20 is 
then identified, e.g., by readout of identification sequence 14 over interface 21. Alternatively, 
the identification may also be performed manually by reading identification sequence 14 
30 which is readably stored in processor unit 20 and by detecting it manually or via an optical 
reader. 

According to step 203, identifier server 18 is then queried for the required identifier. The 

identification sequence previously read is therefore transmitted to the identifier server. On the 

35 basis of the identification sequence, identifier data record 19 assigned to specific processor 
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unit 20 is accessed in the identification server. It is also possible here for the current counter 
content of counter 24 of the processor unit to be transmitted for the purpose of 
synchronization of the counter contents. A check is performed to determine whether it is 
permissible to transmit the identifier to the inquiring unit; if this is not the case, access is 
5 refused and the method is then terminated. A check may also be performed to determine 
whether data records 12 which are intended for transcription have been enabled and are 
allowed to be transcribed. This transfer thus takes place only to an authorized and identified 
inquiring unit. 

10 If allowed according to step 204 of the method, valid identifier 15b of identifier list 15 is 

output next. Counter 24 of identifier server 18 is first incremented, but before that, there may 
be a matching to a transferred counter content so that the counter content points to the next 
identifier which has not yet been used. According to the counter content which then prevails 
(which is 2 in the example shown in Figure 1), an identifier 15b of identifier memory 15 

15 assigned to the counter content is read and transmitted to the data source. At the same time, 
protocol data file 16 is supplemented by the information assigned to the new query of the 
identifier. 

According to step 205, complete data packet 1 1 is then generated in data source 10. The 
20 complete data packet is composed of the at least one data record 12 and additional 

information 13 assigned to it; in the exemplary embodiment depicted in Figure 1, this is made 
up of identifier 15b transmitted from identifier server 18 and identification sequence 14; 
additional information 13 may also contain additional data. Thus on conclusion of step 205, a 
total data record 1 1 is available and may be transmitted to processor unit 20. 
25 The actual transcription of the at least one data record 12 to processor unit 20 may take place 
at a separate time and place from these preparatory steps. To do so, according to step 206, 
first complete data packet 1 1 is transmitted via interface 21 to buffer memory 22. The check 
of the transmitted data for validity is started by checking unit 23 by terminating the 
transmission and optionally after confirming the successful conclusion of the transmission 
30 procedure, which may also be generated by an operator, for example. 

For this purpose, according to step 207, checking unit 23 first accesses counter 24, whose 
counter content is incremented accordingly with this access. The counter content points to a 
code word 25a, 25b, 25c, 25d of code word list 25 according to step 208; in the case shown in 
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Figure 1 at counter content 2, to code word 25b, which is then transmitted back to checking 
unit 23. 

According to step 209, a check is performed on the basis of code word 25b and identifier 15b 
5 to determine whether the at least one data record 12 is valid and may be stored in the 

processor unit. The check may include in particular a comparison to look for a match between 
code word 25 and identifier 15b. If it is found according to step 210 that the data record is not 
valid, then the blocking signal is generated and the program jumps back to step 211. 
According to step 211, the data stored in buffer memory 22 is then erased and the method is 
10 terminated without transferring the at least one data record 12 to functional memory 26. Thus 
the at least one data record 12 cannot be used in central processor CPU 27 of processor unit 
20. The transmission is thus terminated unsuccessfully. 

If validity is recognized in step 210, the enable signal is generated and the program jumps to 
1 5 step 212 and at least the at least one data record is transmitted from buffer memory 22 to 
functional memory 26. In its operation, central computer 27 of processor unit 20 accesses 
functional memory 26, taking into account the data stored in functional memory 26, which 
may include both program code for central processor 27 and information queried in executing 
a program, e.g., engine characteristic maps and control parameters. During this transmission 
20 procedure, data contained in the functional memory and to be replaced may be overwritten. 
To do so, functional memory 27 may be in particular a flash memory which may be supplied 
with new data by flashing. The transmission method is then terminated. 
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